Convert to the agreed ID format (#87)

Fixes #42 Signed-off-by: Ben Cotton <[email protected]>
ossf · Nov 27, 2024 · f5b41f3 · f5b41f3
1 parent bbc0f0b
commit f5b41f3
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 39 deletions.
diff --git a/README.md b/README.md
@@ -9,9 +9,9 @@ All definitions are maintained in YAML format for tandem machine and human readi
 Each entry has the following values:
 
 - **ID**:
-  - Entries 1-39 are reserved for maturity level 1
-  - Entries 40-69 are reserved for maturity level 2
-  - Entries 70-99 are reserved for maturity level 3
+  - Entries are of the form OSPS-_Category_-_Index_ where
+    - *Category* is a two-letter abbreviated form of the categories listed below
+    - *Index* is a sequentially-assigned two-digit number. Numbers are unique within a category but not between categories
 - **Maturity Level**:
   - Level 1: for any code or non-code project with any number of maintainers or users
   - Level 2: for any code project that has at least 2 maintainers and a small number of consistent users

diff --git a/baseline.yaml b/baseline.yaml
@@ -10,9 +10,11 @@
 # Citeria
 #
 # ID is a unique identifier for the requirement.
-# 1-39 are resurved for maturity level 1, 40-69
-# are reserved for maturity level 2, and 70-99 are
-# reserved for maturity level 3.
+# The form is OSPS-<CAT>-<NUM> where
+# - <CAT> is a two-letter abbreviation of the
+#   category
+# - <NUM> is a sequentially-assigned two-digit
+#   number within a category
 #
 # maturity_level is the level of maturity for the
 # requirement. 1 is the lowest level of maturity,
@@ -40,7 +42,7 @@
 # recommendations or best practices.
 #
 criteria:
-  - id: OSPS-01
+  - id: OSPS-AC-01
     maturity_level: 1
     category: Access Control
     criteria: |
@@ -64,7 +66,7 @@ criteria:
     security_insights_value: # TODO
     scorecard_probe:
       - # None yet
-  - id: OSPS-02
+  - id: OSPS-AC-02
     maturity_level: 1
     category: Access Control
     criteria: |
@@ -85,7 +87,7 @@ criteria:
     security_insights_value: # TODO
     scorecard_probe:
       - # None yet
-  - id: OSPS-03
+  - id: OSPS-AC-03
     maturity_level: 1
     category: Access Control
     criteria: |
@@ -106,7 +108,7 @@ criteria:
     control_mappings: # TODO
     scorecard_probe:
       - blocksForcePushOnBranches
-  - id: OSPS-04
+  - id: OSPS-AC-04
     maturity_level: 1
     category: Access Control
     criteria: |
@@ -125,7 +127,7 @@ criteria:
     control_mappings: # TODO
     scorecard_probe:
       - blocksDeleteOnBranches
-  - id: OSPS-05
+  - id: OSPS-BR-01
     maturity_level: 1
     category: Build & Release
     criteria: |
@@ -144,7 +146,7 @@ criteria:
     control_mappings: # TODO
     scorecard_probe:
       - hasDangerousWorkflowScriptInjection
-  - id: OSPS-06
+  - id: OSPS-BR-02
     maturity_level: 1 # TODO: This should be lv2
     category: Build & Release
     criteria: |
@@ -169,7 +171,7 @@ criteria:
     security_insights_value: # TODO
     scorecard_probe:
       - # None, would need to be paired with SI
-  - id: OSPS-07
+  - id: OSPS-BR-03
     maturity_level: 1
     category: Build & Release
     criteria: |
@@ -191,7 +193,7 @@ criteria:
     security_insights_value: # TODO
     scorecard_probe:
       - # None, would need to be paired with SI
-  - id: OSPS-09
+  - id: OSPS-DO-01
     maturity_level: 1
     category: Documentation
     criteria: |
@@ -214,7 +216,7 @@ criteria:
     security_insights_value: # TODO
     scorecard_probe:
       - # None yet
-  - id: OSPS-10
+  - id: OSPS-DO-02
     maturity_level: 1
     category: Documentation
     criteria: |
@@ -235,7 +237,7 @@ criteria:
     security_insights_value: # TODO
     scorecard_probe:
       - # None, may not be suitable
-  - id: OSPS-11
+  - id: OSPS-DO-03
     maturity_level: 2
     category: Documentation
     criteria: |
@@ -255,7 +257,7 @@ criteria:
       available, include highly-visible warnings.
     control_mappings: # TODO
     security_insights_value: # TODO
-  - id: OSPS-12
+  - id: OSPS-QA-01
     maturity_level: 1
     category: Quality
     criteria: |
@@ -276,7 +278,7 @@ criteria:
       that would impact the repository URL.
     control_mappings: # TODO
     security_insights_value: # TODO
-  - id: OSPS-13
+  - id: OSPS-QA-02
     maturity_level: 1
     category: Quality
     criteria: |
@@ -297,7 +299,7 @@ criteria:
       author of any commits.
     control_mappings: # TODO
     security_insights_value: # TODO
-  - id: OSPS-14
+  - id: OSPS-LE-01
     maturity_level: 2
     category: Legal
     criteria: |
@@ -322,7 +324,7 @@ criteria:
     security_insights_value: # TODO
     scorecard_probe:
       - # None, may not be suitable
-  - id: OSPS-15
+  - id: OSPS-LE-02
     maturity_level: 1
     category: Legal
     criteria: |
@@ -354,7 +356,7 @@ criteria:
     security_insights_value: # TODO
     scorecard_probe:
       - hasPermissiveLicense # Check this
-  - id: OSPS-16
+  - id: OSPS-LE-03
     maturity_level: 1
     category: Legal
     criteria: |
@@ -378,7 +380,7 @@ criteria:
     security_insights_value: # TODO
     scorecard_probe:
       - hasLicenseFile
-  - id: OSPS-17
+  - id: OSPS-LE-04
     maturity_level: 1
     category: Legal
     criteria: |
@@ -410,7 +412,7 @@ criteria:
     security_insights_value: # TODO
     scorecard_probe:
       - # None, may need to be paired with SI
-  - id: OSPS-40
+  - id: OSPS-AC-05
     maturity_level: 2
     category: Access Control
     criteria: |
@@ -435,7 +437,7 @@ criteria:
     scorecard_probe:
       - topLevelPermissions
       - jobLevelPermissions
-  - id: OSPS-41
+  - id: OSPS-AC-06
     maturity_level: 2
     category: Access Control
     criteria: |
@@ -464,7 +466,7 @@ criteria:
       trusted organization.
     control_mappings: # TODO
     security_insights_value: # TODO
-  - id: OSPS-42
+  - id: OSPS-BR-04
     maturity_level: 2
     category: Build & Release
     criteria: |
@@ -484,7 +486,7 @@ criteria:
       processes.
     control_mappings: # TODO
     security_insights_value: # TODO
-  - id: OSPS-43
+  - id: OSPS-BR-05
     maturity_level: 2
     category: Build & Release
     criteria: |
@@ -509,7 +511,7 @@ criteria:
     security_insights_value: # TODO
     scorecard_probe:
       - # TODO
-  - id: OSPS-44
+  - id: OSPS-BR-06
     maturity_level: 2
     category: Build & Release
     criteria: |
@@ -534,7 +536,7 @@ criteria:
     security_insights_value: # TODO
     scorecard_probe:
       - # TODO, this might be possible if paired with SI to find the release location
-  - id: OSPS-45
+  - id: OSPS-DO-04
     maturity_level: 2
     category: Documentation
     criteria: |
@@ -560,7 +562,7 @@ criteria:
     scorecard_probe:
       - securityPolicyPresent
       - securityPolicyContainsVulnerabilityDisclosure
-  - id: OSPS-46
+  - id: OSPS-DO-05
     maturity_level: 2
     category: Documentation
     criteria: |
@@ -585,7 +587,7 @@ criteria:
       be triaged and resolved.
     control_mappings: # TODO
     security_insights_value: # TODO
-  - id: OSPS-47
+  - id: OSPS-DO-06
     maturity_level: 2
     category: Documentation
     criteria: |
@@ -611,7 +613,7 @@ criteria:
       approvers.
     control_mappings: # TODO
     security_insights_value: # TODO
-  - id: OSPS-48
+  - id: OSPS-DO-07
     maturity_level: 2
     category: Documentation
     criteria: |
@@ -632,7 +634,7 @@ criteria:
       influence another segment in the system.
     control_mappings: # TODO
     security_insights_value: # TODO
-  - id: OSPS-49
+  - id: OSPS-QA-03
     maturity_level: 2
     category: Quality
     criteria: |
@@ -666,7 +668,7 @@ criteria:
       - hasReleaseSBOM
       - # TODO: check for non-sbom dependency files
 
-  - id: OSPS-50
+  - id: OSPS-QA-04
     maturity_level: 2
     category: Quality
     criteria: |
@@ -696,7 +698,7 @@ criteria:
     scorecard_probe:
       - runsStatusChecksBeforeMerging
       - # TODO: check for checks passing?
-  - id: OSPS-51
+  - id: OSPS-QA-05
     maturity_level: 3
     category: Quality
     criteria: |
@@ -728,7 +730,7 @@ criteria:
     security_insights_value: # TODO
     scorecard_probe:
       - # TODO, this may be possible if paired with SI to find the subproject
-  - id: OSPS-52
+  - id: OSPS-QA-06
     maturity_level: 2
     category: Quality
     criteria: |
@@ -753,7 +755,7 @@ criteria:
     control_mappings: # TODO
     scorecard_probe:
       - hasBinaryArtifacts
-  - id: OSPS-70
+  - id: OSPS-AC-07
     maturity_level: 3
     category: Access Control
     criteria: |
@@ -778,7 +780,7 @@ criteria:
     security_insights_value: # TODO
     scorecard_probe:
       - # TODO
-  - id: OSPS-71
+  - id: OSPS-BR-07
     maturity_level: 3
     category: Build & Release
     criteria: |
@@ -800,7 +802,7 @@ criteria:
     security_insights_value: # TODO
     scorecard_probe:
       - # TODO: this is about policy, but we should also look for evidence of SCA
-  - id: OSPS-72
+  - id: OSPS-DO-08
     maturity_level: 3
     category: Documentation
     criteria: |
@@ -822,7 +824,7 @@ criteria:
       vulnerabilities.
     control_mappings: # TODO
     security_insights_value: # TODO
-  - id: OSPS-73
+  - id: OSPS-DO-09
     maturity_level: 3
     category: Documentation
     criteria: |